How to find subdomains of a domain

What is a subdomain?

A subdomain is a part of the main domain that can be used to separate your website. 

For example, if "example.com" is your root domain, you can use subdomains such as "blog.example.com", "shop.example.com", and "docs.example.com".

Then why would one want to find subdomains of a domain?

Finding subdomains is an important step to collect data for a penetration test.

People usually put enough efforts to keep their main root domain secure, but are more likely to neglect doing the same to their subdomains because they think it's hard to find them.

However, if you use existing online subdomain scanner tools, you will see that they can find subdomains pretty well.

example: a part of search results of google.com from pentest-tools 

To make sure all your websites and services are secure enough, you might want to find all subdomains including ones with vulnerabilities but you have forgotten.

For another example, if you are managing a blacklist of malicious domains, you might also want to find subdomains of them as they are from the same owner. 

If mali.com is found to have a malware, then it is very likely that example.mali.com or sec.mali.com are also malicious.

How can we find subdomains?

Just like the example mentioned above, you can of course use existing tools online.

However, if you need a bulk scan or want to do it in your local device, there is this amazing open source called SubBrute.

SubBrute is a subdomain enumeration tool. 

It bruteforces 101,010 subdomains to find the right ones, but does not send traffic directly to the target's name servers, which provides anonymity. 

It might take a bit of time (it says 15 minutes to exhaust the list on a home connection), but you can also choose to use smaller list of subdomains to enumerate.

It is accurate, anonymous, and easy to work with and customize.

If you're curious, check out their code on github in the following link:

https://github.com/TheRook/subbrute